Privacy Policy
Last updated: May 2026
1. Data Controller
The data controller responsible for this website and all ComStack products and services is:
Transformento S.L.
Calle Graham Bell, 6 – 1, Oficina 12
29590 Málaga, Spain
Email: support@comstack.ai
Phone: +34 919 935 235
2. Scope
This privacy policy covers all ComStack products and services, including:
- This website (
comstack.ai) - The ComStack Chrome Extension — a content management tool for operators
- The ComStack MCP Connector — integration with AI assistants (e.g. Claude)
- WhatsApp Business messaging operated by ComStack
3. Website
No Cookies or Tracking
This website does not use cookies of any kind — neither functional, analytical, nor advertising cookies. We do not use any tracking technologies, analytics services, or third-party scripts. No consent banner is required because no data is collected through your use of this website.
Contact Data
We only collect personal data when you voluntarily contact us by email or by phone. This may include:
- Your name
- Your email address
- Your phone number
- Any other information you choose to include in your message
We do not collect any personal data automatically through your visit to this website.
4. Chrome Extension
The ComStack Chrome Extension (“the Extension”) is a professional content management tool. It is not a consumer product and is not publicly available. Access is restricted to operators and content managers who have been granted access to a ComStack project as part of a business engagement with Transformento S.L.
Operators use the Extension to capture content from websites they manage or work with, and publish it to their own ComStack-powered projects. The Extension is part of a professional publishing workflow — not a general-purpose browsing tool.
Authentication
The Extension uses Google Sign-In to authenticate operators. When you sign in, the Extension receives your Google account email address and display name via OAuth 2.0. This information is used solely to authenticate you with the ComStack service. We do not store your OAuth token beyond the duration of your session. Authentication is handled via Firebase Authentication (Google LLC).
Content Capture
When you click “Extract & Save”, the Extension captures the HTML of the currently active browser tab — the page you are intentionally extracting as part of your publishing workflow. This content is transmitted to the ComStack API (api.comstack.ai) for AI-powered structured data extraction. The captured HTML is processed by the Gemini API (Google LLC) and is not stored beyond the duration of the extraction request. The resulting structured document is saved to your ComStack project.
The Extension does not monitor, log, or transmit your browsing history or browsing activity. It only captures content from a page when you explicitly initiate a capture as part of your workflow.
Image Handling
During a capture, the Extension fetches images referenced in the captured page HTML and uploads them to Cloudinary (Cloudinary Ltd) for storage in your project’s media library. Only images from the page you explicitly chose to capture are fetched.
Data Processed by the Extension
| Data | Purpose | Stored |
|---|---|---|
| Google account email and display name | Operator authentication | Session only |
| HTML of the captured page | AI content extraction | No — processed transiently, then discarded |
| Images found in the captured page | Project media library | Yes — in Cloudinary |
| Extracted document content and metadata | Your ComStack project | Yes — in Firestore |
Limited Use
The use of information received from Google APIs will adhere to the Chrome Web Store User Data Policy, including the Limited Use requirements.
4b. MCP Connector (AI Assistants)
The ComStack MCP Connector allows AI assistants (such as Claude by Anthropic) to manage ComStack projects on behalf of authenticated operators. This section covers data flows specific to the MCP connector.
Authentication
When you connect ComStack to an AI assistant, the assistant initiates an OAuth 2.1 authorization flow with PKCE. You sign in with your existing ComStack account (Google Sign-In via Firebase Authentication). The assistant receives an access token and a refresh token — it never sees your Google password or credentials.
Data Collected
| Data | Purpose | Stored |
|---|---|---|
| Firebase ID token (derived from your sign-in) | Authenticate each MCP tool call | Access tokens: 1 hour. Refresh tokens: 30 days. All hashed at rest. |
| OAuth client registration | Dynamic Client Registration per RFC 7591 | Retained for the lifetime of the connection. |
| Tool call arguments | Execute the requested action (e.g. create page, edit content, publish) | Logged with sensitive keys redacted. Retained for the duration of the project. |
| Publish confirmation tokens | Single-use tokens for the two-step publish flow | 5-minute TTL, deleted after use. |
Data Not Collected
The MCP connector does not access your browsing history, clipboard, files, or any data outside of your ComStack projects. Tool calls only operate on the project specified in each request.
Anthropic as a Processor
When you use the MCP connector through Claude (Anthropic), Anthropic acts as a data processor for the connector traffic. Anthropic’s privacy policy applies to data processed within their platform: https://www.anthropic.com/privacy.
Retention Summary
| Item | Retention |
|---|---|
| Access tokens | 1 hour (auto-expire) |
| Refresh tokens | 30 days (auto-expire), revoked on sign-out |
| OAuth client registrations | Lifetime of the connection |
| Audit log entries | Duration of the project |
| Publish confirmation tokens | 5 minutes (auto-delete after use) |
5. WhatsApp Business Messaging
ComStack operates a WhatsApp Business account for direct communication with clients, business partners, and operators of the ComStack platform.
What We Collect via WhatsApp
When you message us via WhatsApp, or when you consent to receive messages from us, we may process:
- Your WhatsApp phone number
- Your WhatsApp display name (if visible)
- The content of messages exchanged with us
How We Use WhatsApp Data
We use WhatsApp conversation data solely to:
- Respond to your enquiries
- Communicate service updates, onboarding information, or operational messages to contacts who have opted in
- Maintain records of business communications as required by applicable law
We do not use data obtained from WhatsApp messages for any purpose other than supporting direct communication with you. We do not use WhatsApp data for advertising, profiling, or sharing with third parties beyond WhatsApp (Meta Platforms) and any messaging platform provider we use to operate the account.
Opt-In and Opt-Out
We only send business-initiated WhatsApp messages to contacts who have given explicit consent. You may opt out at any time by replying STOP or by contacting us at support@comstack.ai. Opt-out requests are honoured immediately.
Meta as a Data Processor
WhatsApp is operated by Meta Platforms, Inc. / Meta Platforms Ireland Limited. By using WhatsApp to contact us, or by consenting to receive messages from us via WhatsApp, your data is also subject to Meta’s privacy policies: WhatsApp Privacy Policy and Meta Privacy Policy.
6. Third-Party Data Processors
We use the following third-party processors. Each receives only the data necessary to perform their function. We do not sell, rent, or share your personal data with any third party for their own commercial purposes.
| Processor | Role | Data shared | Privacy policy |
|---|---|---|---|
| Firebase Authentication (Google LLC) | Operator authentication for the Chrome Extension and ComStack platform | Email address, display name | https://policies.google.com/privacy |
| Gemini API (Google LLC) | AI-powered content extraction in the Chrome Extension | Page HTML — transient, not stored | https://policies.google.com/privacy |
| Cloudinary Ltd | Image hosting for project media libraries | Images captured via the Chrome Extension | https://cloudinary.com/privacy |
| Cloud Firestore (Google LLC) | Database for ComStack projects and documents | Document content and metadata | https://policies.google.com/privacy |
| Google Cloud / Cloud Run (Google LLC) | Hosting for the ComStack API | API requests and responses | https://cloud.google.com/terms/cloud-privacy-notice |
| Anthropic PBC | AI assistant platform (MCP connector) | Tool call arguments, project content during connector sessions | https://www.anthropic.com/privacy |
| Meta Platforms / WhatsApp | Business messaging platform | Phone number, message content | https://www.whatsapp.com/legal/privacy-policy |
7. Legal Basis for Processing (GDPR)
We process personal data on the following legal grounds under the General Data Protection Regulation (GDPR):
| Processing activity | Legal basis |
|---|---|
| Responding to contact enquiries | Legitimate interest (Art. 6(1)(f)); pre-contractual steps (Art. 6(1)(b)) |
| Chrome Extension — operator authentication | Performance of a contract (Art. 6(1)(b)) |
| Chrome Extension — content capture and extraction | Performance of a contract (Art. 6(1)(b)) |
| MCP Connector — operator authentication | Performance of a contract (Art. 6(1)(b)) |
| MCP Connector — tool call processing and audit | Performance of a contract (Art. 6(1)(b)) |
| WhatsApp — responding to inbound messages | Legitimate interest (Art. 6(1)(f)) |
| WhatsApp — outbound business messaging | Consent (Art. 6(1)(a)) |
8. Data Retention
| Data | Retention |
|---|---|
| Contact enquiry data | Duration of the resulting business relationship, then deleted |
| Chrome Extension authentication session | Session only — not persisted beyond sign-out |
| Captured page HTML | Not retained — processed transiently and discarded |
| Project documents and media (Firestore / Cloudinary) | Duration of the operator’s active account |
| MCP Connector access tokens | 1 hour (auto-expire) |
| MCP Connector refresh tokens | 30 days (auto-expire) |
| MCP Connector audit log | Duration of the project |
| WhatsApp message content | Duration required to support the communication, then deleted |
9. Data Security
All data transmitted between the Chrome Extension, the ComStack API, and third-party processors is encrypted in transit via TLS. Data stored in Firestore and Cloudinary is protected by Google Cloud and Cloudinary’s respective security controls. Access to personal data is restricted to authorised ComStack personnel only.
10. Your Rights
Under the GDPR, you have the following rights:
- Right of access — to obtain a copy of your personal data we hold.
- Right to rectification — to request correction of inaccurate or incomplete data.
- Right to erasure — to request deletion of your personal data.
- Right to restriction — to request that we limit the processing of your data.
- Right to data portability — to receive your data in a structured, commonly used format.
- Right to object — to object to processing based on legitimate interest.
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting prior lawful processing.
To exercise any of these rights, contact us at support@comstack.ai. We will respond within 30 days.
11. Right to Lodge a Complaint
If you believe our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. The competent authority in Spain is:
Agencia Española de Protección de Datos (AEPD)
www.aepd.es
12. Changes to This Policy
We may update this policy to reflect changes in our products, services, or legal requirements. Updates are published on this page with a revised “Last updated” date.
13. Contact
Transformento S.L.
Calle Graham Bell, 6 – 1, Oficina 12
29590 Málaga, Spain
Email: support@comstack.ai
Phone: +34 919 935 235